1 /*        $NetBSD: ntp-keygen.c,v 1.16 2024/08/18 20:47:27 christos Exp $       */
2 
3 /*
4  * Program to generate cryptographic keys for ntp clients and servers
5  *
6  * This program generates password encrypted data files for use with the
7  * Autokey security protocol and Network Time Protocol Version 4. Files
8  * are prefixed with a header giving the name and date of creation
9  * followed by a type-specific descriptive label and PEM-encoded data
10  * structure compatible with programs of the OpenSSL library.
11  *
12  * All file names are like "ntpkey_<type>_<hostname>.<filestamp>", where
13  * <type> is the file type, <hostname> the generating host name and
14  * <filestamp> the generation time in NTP seconds. The NTP programs
15  * expect generic names such as "ntpkey_<type>_whimsy.udel.edu" with the
16  * association maintained by soft links. Following is a list of file
17  * types; the first line is the file name and the second link name.
18  *
19  * ntpkey_MD5key_<hostname>.<filestamp>
20  *        MD5 (128-bit) keys used to compute message digests in symmetric
21  *        key cryptography
22  *
23  * ntpkey_RSAhost_<hostname>.<filestamp>
24  * ntpkey_host_<hostname>
25  *        RSA private/public host key pair used for public key signatures
26  *
27  * ntpkey_RSAsign_<hostname>.<filestamp>
28  * ntpkey_sign_<hostname>
29  *        RSA private/public sign key pair used for public key signatures
30  *
31  * ntpkey_DSAsign_<hostname>.<filestamp>
32  * ntpkey_sign_<hostname>
33  *        DSA Private/public sign key pair used for public key signatures
34  *
35  * Available digest/signature schemes
36  *
37  * RSA:   RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, EVP-RIPEMD160
38  * DSA:   DSA-SHA, DSA-SHA1
39  *
40  * ntpkey_XXXcert_<hostname>.<filestamp>
41  * ntpkey_cert_<hostname>
42  *        X509v3 certificate using RSA or DSA public keys and signatures.
43  *        XXX is a code identifying the message digest and signature
44  *        encryption algorithm
45  *
46  * Identity schemes. The key type par is used for the challenge; the key
47  * type key is used for the response.
48  *
49  * ntpkey_IFFkey_<groupname>.<filestamp>
50  * ntpkey_iffkey_<groupname>
51  *        Schnorr (IFF) identity parameters and keys
52  *
53  * ntpkey_GQkey_<groupname>.<filestamp>,
54  * ntpkey_gqkey_<groupname>
55  *        Guillou-Quisquater (GQ) identity parameters and keys
56  *
57  * ntpkey_MVkeyX_<groupname>.<filestamp>,
58  * ntpkey_mvkey_<groupname>
59  *        Mu-Varadharajan (MV) identity parameters and keys
60  *
61  * Note: Once in a while because of some statistical fluke this program
62  * fails to generate and verify some cryptographic data, as indicated by
63  * exit status -1. In this case simply run the program again. If the
64  * program does complete with exit code 0, the data are correct as
65  * verified.
66  *
67  * These cryptographic routines are characterized by the prime modulus
68  * size in bits. The default value of 512 bits is a compromise between
69  * cryptographic strength and computing time and is ordinarily
70  * considered adequate for this application. The routines have been
71  * tested with sizes of 256, 512, 1024 and 2048 bits. Not all message
72  * digest and signature encryption schemes work with sizes less than 512
73  * bits. The computing time for sizes greater than 2048 bits is
74  * prohibitive on all but the fastest processors. An UltraSPARC Blade
75  * 1000 took something over nine minutes to generate and verify the
76  * values with size 2048. An old SPARC IPC would take a week.
77  *
78  * The OpenSSL library used by this program expects a random seed file.
79  * As described in the OpenSSL documentation, the file name defaults to
80  * first the RANDFILE environment variable in the user's home directory
81  * and then .rnd in the user's home directory.
82  */
83 #ifdef HAVE_CONFIG_H
84 # include <config.h>
85 #endif
86 #include <string.h>
87 #include <stdio.h>
88 #include <stdlib.h>
89 #include <unistd.h>
90 #include <sys/stat.h>
91 #include <sys/time.h>
92 #include <sys/types.h>
93 
94 #include "ntp.h"
95 #include "ntp_random.h"
96 #include "ntp_stdlib.h"
97 #include "ntp_assert.h"
98 #include "ntp_libopts.h"
99 #include "ntp_unixtime.h"
100 #include "ntp-keygen-opts.h"
101 
102 #ifdef OPENSSL
103 #include "openssl/asn1.h"
104 #include "openssl/bn.h"
105 #include "openssl/crypto.h"
106 #include "openssl/evp.h"
107 #include "openssl/err.h"
108 #include "openssl/rand.h"
109 #include "openssl/opensslv.h"
110 #include "openssl/pem.h"
111 #include "openssl/x509.h"
112 #include "openssl/x509v3.h"
113 #include <openssl/objects.h>
114 #include "libssl_compat.h"
115 #endif    /* OPENSSL */
116 #include <ssl_applink.c>
117 
118 #define _UC(str)    ((char *)(intptr_t)(str))
119 /*
120  * Cryptodefines
121  */
122 #define   MD5KEYS             10        /* number of keys generated of each type */
123 #define   MD5SIZE             20        /* maximum key size */
124 #ifdef AUTOKEY
125 #define   PLEN                512       /* default prime modulus size (bits) */
126 #define   ILEN                512       /* default identity modulus size (bits) */
127 #define   MVMAX               100       /* max MV parameters */
128 
129 /*
130  * Strings used in X509v3 extension fields
131  */
132 #define KEY_USAGE             "digitalSignature,keyCertSign"
133 #define BASIC_CONSTRAINTS     "critical,CA:TRUE"
134 #define EXT_KEY_PRIVATE                 "private"
135 #define EXT_KEY_TRUST                   "trustRoot"
136 #endif    /* AUTOKEY */
137 
138 /*
139  * Prototypes
140  */
141 FILE      *fheader  (const char *, const char *, const char *);
142 int       gen_md5             (const char *);
143 void      followlink          (char *, size_t);
144 #ifdef AUTOKEY
145 EVP_PKEY *gen_rsa   (const char *);
146 EVP_PKEY *gen_dsa   (const char *);
147 EVP_PKEY *gen_iffkey          (const char *);
148 EVP_PKEY *gen_gqkey (const char *);
149 EVP_PKEY *gen_mvkey (const char *, EVP_PKEY **);
150 void      gen_mvserv          (char *, EVP_PKEY **);
151 int       x509                (EVP_PKEY *, const EVP_MD *, char *, const char *,
152                                   char *);
153 void      cb                  (int, int, void *);
154 EVP_PKEY *genkey    (const char *, const char *);
155 EVP_PKEY *readkey   (char *, char *, u_int *, EVP_PKEY **);
156 void      writekey  (char *, char *, u_int *, EVP_PKEY **);
157 u_long    asn2ntp             (ASN1_TIME *);
158 
159 static DSA* genDsaParams(int, char*);
160 static RSA* genRsaKeyPair(int, char*);
161 
162 #endif    /* AUTOKEY */
163 
164 /*
165  * Program variables
166  */
167 extern char *optarg;                    /* command line argument */
168 char      const *progname;
169 u_int     lifetime = DAYSPERYEAR;       /* certificate lifetime (days) */
170 int       nkeys;                        /* MV keys */
171 time_t    epoch;                        /* Unix epoch (seconds) since 1970 */
172 u_int     fstamp;                       /* NTP filestamp */
173 char      hostbuf[MAXHOSTNAME + 1];
174 char      *hostname = NULL;   /* host, used in cert filenames */
175 char      *groupname = NULL;  /* group name */
176 char      certnamebuf[2 * sizeof(hostbuf)];
177 char      *certname = NULL;   /* certificate subject/issuer name */
178 char      *passwd1 = NULL;    /* input private key password */
179 char      *passwd2 = NULL;    /* output private key password */
180 char      filename[MAXFILENAME + 1]; /* file name */
181 #ifdef AUTOKEY
182 u_int     modulus = PLEN;               /* prime modulus size (bits) */
183 u_int     modulus2 = ILEN;    /* identity modulus size (bits) */
184 long      d0, d1, d2, d3;               /* callback counters */
185 const EVP_CIPHER * cipher = NULL;
186 #endif    /* AUTOKEY */
187 
188 #ifdef SYS_WINNT
189 BOOL init_randfile();
190 
191 /*
192  * Don't try to follow symbolic links on Windows.  Assume link == file.
193  */
194 int
readlink(char * link,char * file,int len)195 readlink(
196           char *    link,
197           char *    file,
198           int       len
199           )
200 {
201           return (int)strlen(file); /* assume no overflow possible */
202 }
203 
204 /*
205  * Don't try to create symbolic links on Windows, that is supported on
206  * Vista and later only.  Instead, if CreateHardLink is available (XP
207  * and later), hardlink the linkname to the original filename.  On
208  * earlier systems, user must rename file to match expected link for
209  * ntpd to find it.  To allow building a ntp-keygen.exe which loads on
210  * Windows pre-XP, runtime link to CreateHardLinkA().
211  */
212 int
symlink(char * filename,char * linkname)213 symlink(
214           char *    filename,
215           char*     linkname
216           )
217 {
218           typedef BOOL (WINAPI *PCREATEHARDLINKA)(
219                     __in LPCSTR         lpFileName,
220                     __in LPCSTR         lpExistingFileName,
221                     __reserved LPSECURITY_ATTRIBUTES lpSA
222                     );
223           static PCREATEHARDLINKA pCreateHardLinkA;
224           static int                    tried;
225           HMODULE                       hDll;
226           FARPROC                       pfn;
227           int                           link_created;
228           int                           saved_errno;
229 
230           if (!tried) {
231                     tried = TRUE;
232                     hDll = LoadLibrary("kernel32");
233                     pfn = GetProcAddress(hDll, "CreateHardLinkA");
234                     pCreateHardLinkA = (PCREATEHARDLINKA)pfn;
235           }
236 
237           if (NULL == pCreateHardLinkA) {
238                     errno = ENOSYS;
239                     return -1;
240           }
241 
242           link_created = (*pCreateHardLinkA)(linkname, filename, NULL);
243 
244           if (link_created)
245                     return 0;
246 
247           saved_errno = GetLastError(); /* yes we play loose */
248           mfprintf(stderr, "Create hard link %s to %s failed: %m\n",
249                      linkname, filename);
250           errno = saved_errno;
251           return -1;
252 }
253 
254 void
InitWin32Sockets()255 InitWin32Sockets() {
256           WORD wVersionRequested;
257           WSADATA wsaData;
258           wVersionRequested = MAKEWORD(2,0);
259           if (WSAStartup(wVersionRequested, &wsaData))
260           {
261                     fprintf(stderr, "No useable winsock.dll\n");
262                     exit(1);
263           }
264 }
265 #endif /* SYS_WINNT */
266 
267 
268 /*
269  * followlink() - replace filename with its target if symlink.
270  *
271  * readlink() does not null-terminate the result.
272  */
273 void
followlink(char * fname,size_t bufsiz)274 followlink(
275           char *    fname,
276           size_t    bufsiz
277           )
278 {
279           ssize_t   len;
280           char *    target;
281 
282           REQUIRE(bufsiz > 0 && bufsiz <= SSIZE_MAX);
283 
284           target = emalloc(bufsiz);
285           len = readlink(fname, target, bufsiz);
286           if (len < 0) {
287                     fname[0] = '\0';
288                     return;
289           }
290           if ((size_t)len > bufsiz - 1)
291                     len = bufsiz - 1;
292           memcpy(fname, target, len);
293           fname[len] = '\0';
294           free(target);
295 }
296 
297 
298 /*
299  * Main program
300  */
301 int
main(int argc,char ** argv)302 main(
303           int       argc,               /* command line options */
304           char      **argv
305           )
306 {
307           struct timeval tv;  /* initialization vector */
308           int       md5key = 0;         /* generate MD5 keys */
309           int       optct;              /* option count */
310 #ifdef AUTOKEY
311           X509      *cert = NULL;       /* X509 certificate */
312           EVP_PKEY *pkey_host = NULL; /* host key */
313           EVP_PKEY *pkey_sign = NULL; /* sign key */
314           EVP_PKEY *pkey_iffkey = NULL; /* IFF sever keys */
315           EVP_PKEY *pkey_gqkey = NULL; /* GQ server keys */
316           EVP_PKEY *pkey_mvkey = NULL; /* MV trusted agen keys */
317           EVP_PKEY *pkey_mvpar[MVMAX]; /* MV cleient keys */
318           int       hostkey = 0;        /* generate RSA keys */
319           int       iffkey = 0;         /* generate IFF keys */
320           int       gqkey = 0;          /* generate GQ keys */
321           int       mvkey = 0;          /* update MV keys */
322           int       mvpar = 0;          /* generate MV parameters */
323           char      *sign = NULL;       /* sign key */
324           EVP_PKEY *pkey = NULL;        /* temp key */
325           const EVP_MD *ectx; /* EVP digest */
326           char      pathbuf[MAXFILENAME + 1];
327           const char *scheme = NULL; /* digest/signature scheme */
328           const char *ciphername = NULL; /* to encrypt priv. key */
329           const char *exten = NULL;     /* private extension */
330           char      *grpkey = NULL;     /* identity extension */
331           int       nid;                /* X509 digest/signature scheme */
332           FILE      *fstr = NULL;       /* file handle */
333           char      groupbuf[MAXHOSTNAME + 1];
334           u_int     temp;
335           BIO *     bp;
336           int       i, cnt;
337           char *    ptr;
338 #endif    /* AUTOKEY */
339 #ifdef OPENSSL
340           const char *sslvtext;
341           int sslvmatch;
342 #endif /* OPENSSL */
343 
344           progname = argv[0];
345 
346 #ifdef SYS_WINNT
347           /* Initialize before OpenSSL checks */
348           InitWin32Sockets();
349           if (!init_randfile())
350                     fprintf(stderr, "Unable to initialize .rnd file\n");
351           ssl_applink();
352 #endif
353 
354 #ifdef OPENSSL
355           ssl_check_version();
356 #endif    /* OPENSSL */
357 
358           ntp_crypto_srandom();
359 
360           /*
361            * Process options, initialize host name and timestamp.
362            * gethostname() won't null-terminate if hostname is exactly the
363            * length provided for the buffer.
364            */
365           gethostname(hostbuf, sizeof(hostbuf) - 1);
366           hostbuf[COUNTOF(hostbuf) - 1] = '\0';
367           hostname = hostbuf;
368           groupname = hostbuf;
369           passwd1 = hostbuf;
370           passwd2 = NULL;
371           GETTIMEOFDAY(&tv, NULL);
372           epoch = tv.tv_sec;
373           fstamp = (u_int)(epoch + JAN_1970);
374 
375           optct = ntpOptionProcess(&ntp_keygenOptions, argc, argv);
376           argc -= optct;      // Just in case we care later.
377           argv += optct;      // Just in case we care later.
378 
379 #ifdef OPENSSL
380           sslvtext = OpenSSL_version(OPENSSL_VERSION);
381           sslvmatch = OpenSSL_version_num() == OPENSSL_VERSION_NUMBER;
382           if (sslvmatch)
383                     fprintf(stderr, "Using OpenSSL version %s\n",
384                               sslvtext);
385           else
386                     fprintf(stderr, "Built against OpenSSL %s, using version %s\n",
387                               OPENSSL_VERSION_TEXT, sslvtext);
388 #endif /* OPENSSL */
389 
390           debug = OPT_VALUE_SET_DEBUG_LEVEL;
391 
392           if (HAVE_OPT( MD5KEY ))
393                     md5key++;
394 #ifdef AUTOKEY
395           if (HAVE_OPT( PASSWORD ))
396                     passwd1 = estrdup(OPT_ARG( PASSWORD ));
397 
398           if (HAVE_OPT( EXPORT_PASSWD ))
399                     passwd2 = estrdup(OPT_ARG( EXPORT_PASSWD ));
400 
401           if (HAVE_OPT( HOST_KEY ))
402                     hostkey++;
403 
404           if (HAVE_OPT( SIGN_KEY ))
405                     sign = estrdup(OPT_ARG( SIGN_KEY ));
406 
407           if (HAVE_OPT( GQ_PARAMS ))
408                     gqkey++;
409 
410           if (HAVE_OPT( IFFKEY ))
411                     iffkey++;
412 
413           if (HAVE_OPT( MV_PARAMS )) {
414                     mvkey++;                      /* DLH are these two swapped? */
415                     nkeys = OPT_VALUE_MV_PARAMS;
416           }
417           if (HAVE_OPT( MV_KEYS )) {
418                     mvpar++;  /* not used! */     /* DLH are these two swapped? */
419                     nkeys = OPT_VALUE_MV_KEYS;
420           }
421 
422           if (HAVE_OPT( IMBITS ))
423                     modulus2 = OPT_VALUE_IMBITS;
424 
425           if (HAVE_OPT( MODULUS ))
426                     modulus = OPT_VALUE_MODULUS;
427 
428           if (HAVE_OPT( CERTIFICATE ))
429                     scheme = OPT_ARG( CERTIFICATE );
430 
431           if (HAVE_OPT( CIPHER ))
432                     ciphername = OPT_ARG( CIPHER );
433 
434           if (HAVE_OPT( SUBJECT_NAME ))
435                     hostname = estrdup(OPT_ARG( SUBJECT_NAME ));
436 
437           if (HAVE_OPT( IDENT ))
438                     groupname = estrdup(OPT_ARG( IDENT ));
439 
440           if (HAVE_OPT( LIFETIME ))
441                     lifetime = OPT_VALUE_LIFETIME;
442 
443           if (HAVE_OPT( PVT_CERT ))
444                     exten = EXT_KEY_PRIVATE;
445 
446           if (HAVE_OPT( TRUSTED_CERT ))
447                     exten = EXT_KEY_TRUST;
448 
449           /*
450            * Remove the group name from the hostname variable used
451            * in host and sign certificate file names.
452            */
453           if (hostname != hostbuf)
454                     ptr = strchr(hostname, '@');
455           else
456                     ptr = NULL;
457           if (ptr != NULL) {
458                     *ptr = '\0';
459                     groupname = estrdup(ptr + 1);
460                     /* -s @group is equivalent to -i group, host unch. */
461                     if (ptr == hostname)
462                               hostname = hostbuf;
463           }
464 
465           /*
466            * Derive host certificate issuer/subject names from host name
467            * and optional group.  If no groupname is provided, the issuer
468            * and subject is the hostname with no '@group', and the
469            * groupname variable is pointed to hostname for use in IFF, GQ,
470            * and MV parameters file names.
471            */
472           if (groupname == hostbuf) {
473                     certname = hostname;
474           } else {
475                     snprintf(certnamebuf, sizeof(certnamebuf), "%s@%s",
476                                hostname, groupname);
477                     certname = certnamebuf;
478           }
479 
480           /*
481            * Seed random number generator and grow weeds.
482            */
483 #if OPENSSL_VERSION_NUMBER < 0x10100000L
484           ERR_load_crypto_strings();
485           OpenSSL_add_all_algorithms();
486 #endif /* OPENSSL_VERSION_NUMBER */
487           if (!RAND_status()) {
488                     if (RAND_file_name(pathbuf, sizeof(pathbuf)) == NULL) {
489                               fprintf(stderr, "RAND_file_name %s\n",
490                                   ERR_error_string(ERR_get_error(), NULL));
491                               exit (-1);
492                     }
493                     temp = RAND_load_file(pathbuf, -1);
494                     if (temp == 0) {
495                               fprintf(stderr,
496                                   "RAND_load_file %s not found or empty\n",
497                                   pathbuf);
498                               exit (-1);
499                     }
500                     fprintf(stderr,
501                         "Random seed file %s %u bytes\n", pathbuf, temp);
502                     RAND_add(&epoch, sizeof(epoch), 4.0);
503           }
504 #endif    /* AUTOKEY */
505 
506           /*
507            * Create new unencrypted MD5 keys file if requested. If this
508            * option is selected, ignore all other options.
509            */
510           if (md5key) {
511                     gen_md5("md5");
512                     exit (0);
513           }
514 
515 #ifdef AUTOKEY
516           /*
517            * Load previous certificate if available.
518            */
519           snprintf(filename, sizeof(filename), "ntpkey_cert_%s", hostname);
520           if ((fstr = fopen(filename, "r")) != NULL) {
521                     cert = PEM_read_X509(fstr, NULL, NULL, NULL);
522                     fclose(fstr);
523           }
524           if (cert != NULL) {
525 
526                     /*
527                      * Extract subject name.
528                      */
529                     X509_NAME_oneline(X509_get_subject_name(cert), groupbuf,
530                         MAXFILENAME);
531 
532                     /*
533                      * Extract digest/signature scheme.
534                      */
535                     if (scheme == NULL) {
536                               nid = X509_get_signature_nid(cert);
537                               scheme = OBJ_nid2sn(nid);
538                     }
539 
540                     /*
541                      * If a key_usage extension field is present, determine
542                      * whether this is a trusted or private certificate.
543                      */
544                     if (exten == NULL) {
545                               ptr = strstr(groupbuf, "CN=");
546                               cnt = X509_get_ext_count(cert);
547                               for (i = 0; i < cnt; i++) {
548                                         X509_EXTENSION *ext;
549                                         ASN1_OBJECT *obj;
550 
551                                         ext = X509_get_ext(cert, i);
552                                         obj = X509_EXTENSION_get_object(ext);
553 
554                                         if (OBJ_obj2nid(obj) ==
555                                             NID_ext_key_usage) {
556                                                   bp = BIO_new(BIO_s_mem());
557                                                   X509V3_EXT_print(bp, ext, 0, 0);
558                                                   BIO_gets(bp, pathbuf,
559                                                       MAXFILENAME);
560                                                   BIO_free(bp);
561                                                   if (strcmp(pathbuf,
562                                                       "Trust Root") == 0)
563                                                             exten = EXT_KEY_TRUST;
564                                                   else if (strcmp(pathbuf,
565                                                       "Private") == 0)
566                                                             exten = EXT_KEY_PRIVATE;
567                                                   certname = estrdup(ptr + 3);
568                                         }
569                               }
570                     }
571           }
572           if (scheme == NULL)
573                     scheme = "RSA-MD5";
574           if (ciphername == NULL)
575                     ciphername = "des-ede3-cbc";
576           cipher = EVP_get_cipherbyname(ciphername);
577           if (cipher == NULL) {
578                     fprintf(stderr, "Unknown cipher %s\n", ciphername);
579                     exit(-1);
580           }
581           fprintf(stderr, "Using host %s group %s\n", hostname,
582               groupname);
583 
584           /*
585            * Create a new encrypted RSA host key file if requested;
586            * otherwise, look for an existing host key file. If not found,
587            * create a new encrypted RSA host key file. If that fails, go
588            * no further.
589            */
590           if (hostkey)
591                     pkey_host = genkey("RSA", "host");
592           if (pkey_host == NULL) {
593                     snprintf(filename, sizeof(filename), "ntpkey_host_%s", hostname);
594                     pkey_host = readkey(filename, passwd1, &fstamp, NULL);
595                     if (pkey_host != NULL) {
596                               followlink(filename, sizeof(filename));
597                               fprintf(stderr, "Using host key %s\n",
598                                   filename);
599                     } else {
600                               pkey_host = genkey("RSA", "host");
601                     }
602           }
603           if (pkey_host == NULL) {
604                     fprintf(stderr, "Generating host key fails\n");
605                     exit(-1);
606           }
607 
608           /*
609            * Create new encrypted RSA or DSA sign keys file if requested;
610            * otherwise, look for an existing sign key file. If not found,
611            * use the host key instead.
612            */
613           if (sign != NULL)
614                     pkey_sign = genkey(sign, "sign");
615           if (pkey_sign == NULL) {
616                     snprintf(filename, sizeof(filename), "ntpkey_sign_%s",
617                                hostname);
618                     pkey_sign = readkey(filename, passwd1, &fstamp, NULL);
619                     if (pkey_sign != NULL) {
620                               followlink(filename, sizeof(filename));
621                               fprintf(stderr, "Using sign key %s\n",
622                                   filename);
623                     } else {
624                               pkey_sign = pkey_host;
625                               fprintf(stderr, "Using host key as sign key\n");
626                     }
627           }
628 
629           /*
630            * Create new encrypted GQ server keys file if requested;
631            * otherwise, look for an exisiting file. If found, fetch the
632            * public key for the certificate.
633            */
634           if (gqkey)
635                     pkey_gqkey = gen_gqkey("gqkey");
636           if (pkey_gqkey == NULL) {
637                     snprintf(filename, sizeof(filename), "ntpkey_gqkey_%s",
638                         groupname);
639                     pkey_gqkey = readkey(filename, passwd1, &fstamp, NULL);
640                     if (pkey_gqkey != NULL) {
641                               followlink(filename, sizeof(filename));
642                               fprintf(stderr, "Using GQ parameters %s\n",
643                                   filename);
644                     }
645           }
646           if (pkey_gqkey != NULL) {
647                     RSA                 *rsa;
648                     const BIGNUM        *q;
649 
650                     rsa = EVP_PKEY_get1_RSA(pkey_gqkey);
651                     RSA_get0_factors(rsa, NULL, &q);
652                     grpkey = BN_bn2hex(q);
653                     RSA_free(rsa);
654           }
655 
656           /*
657            * Write the nonencrypted GQ client parameters to the stdout
658            * stream. The parameter file is the server key file with the
659            * private key obscured.
660            */
661           if (pkey_gqkey != NULL && HAVE_OPT(ID_KEY)) {
662                     RSA       *rsa;
663 
664                     snprintf(filename, sizeof(filename),
665                         "ntpkey_gqpar_%s.%u", groupname, fstamp);
666                     fprintf(stderr, "Writing GQ parameters %s to stdout\n",
667                         filename);
668                     fprintf(stdout, "# %s\n# %s\n", filename,
669                         ctime(&epoch));
670                     rsa = EVP_PKEY_get1_RSA(pkey_gqkey);
671                     RSA_set0_factors(rsa, BN_dup(BN_value_one()), BN_dup(BN_value_one()));
672                     pkey = EVP_PKEY_new();
673                     EVP_PKEY_assign_RSA(pkey, rsa);
674                     PEM_write_PKCS8PrivateKey(stdout, pkey, NULL, NULL, 0,
675                         NULL, NULL);
676                     fflush(stdout);
677                     if (debug) {
678                               RSA_print_fp(stderr, rsa, 0);
679                     }
680                     EVP_PKEY_free(pkey);
681                     pkey = NULL;
682                     RSA_free(rsa);
683           }
684 
685           /*
686            * Write the encrypted GQ server keys to the stdout stream.
687            */
688           if (pkey_gqkey != NULL && passwd2 != NULL) {
689                     RSA       *rsa;
690 
691                     snprintf(filename, sizeof(filename),
692                         "ntpkey_gqkey_%s.%u", groupname, fstamp);
693                     fprintf(stderr, "Writing GQ keys %s to stdout\n",
694                         filename);
695                     fprintf(stdout, "# %s\n# %s\n", filename,
696                         ctime(&epoch));
697                     rsa = EVP_PKEY_get1_RSA(pkey_gqkey);
698                     pkey = EVP_PKEY_new();
699                     EVP_PKEY_assign_RSA(pkey, rsa);
700                     PEM_write_PKCS8PrivateKey(stdout, pkey, cipher, NULL, 0,
701                         NULL, passwd2);
702                     fflush(stdout);
703                     if (debug) {
704                               RSA_print_fp(stderr, rsa, 0);
705                     }
706                     EVP_PKEY_free(pkey);
707                     pkey = NULL;
708                     RSA_free(rsa);
709           }
710 
711           /*
712            * Create new encrypted IFF server keys file if requested;
713            * otherwise, look for existing file.
714            */
715           if (iffkey)
716                     pkey_iffkey = gen_iffkey("iffkey");
717           if (pkey_iffkey == NULL) {
718                     snprintf(filename, sizeof(filename), "ntpkey_iffkey_%s",
719                         groupname);
720                     pkey_iffkey = readkey(filename, passwd1, &fstamp, NULL);
721                     if (pkey_iffkey != NULL) {
722                               followlink(filename, sizeof(filename));
723                               fprintf(stderr, "Using IFF keys %s\n",
724                                   filename);
725                     }
726           }
727 
728           /*
729            * Write the nonencrypted IFF client parameters to the stdout
730            * stream. The parameter file is the server key file with the
731            * private key obscured.
732            */
733           if (pkey_iffkey != NULL && HAVE_OPT(ID_KEY)) {
734                     DSA       *dsa;
735 
736                     snprintf(filename, sizeof(filename),
737                         "ntpkey_iffpar_%s.%u", groupname, fstamp);
738                     fprintf(stderr, "Writing IFF parameters %s to stdout\n",
739                         filename);
740                     fprintf(stdout, "# %s\n# %s\n", filename,
741                         ctime(&epoch));
742                     dsa = EVP_PKEY_get1_DSA(pkey_iffkey);
743                     DSA_set0_key(dsa, NULL, BN_dup(BN_value_one()));
744                     pkey = EVP_PKEY_new();
745                     EVP_PKEY_assign_DSA(pkey, dsa);
746                     PEM_write_PKCS8PrivateKey(stdout, pkey, NULL, NULL, 0,
747                         NULL, NULL);
748                     fflush(stdout);
749                     if (debug) {
750                               DSA_print_fp(stderr, dsa, 0);
751                     }
752                     EVP_PKEY_free(pkey);
753                     pkey = NULL;
754                     DSA_free(dsa);
755           }
756 
757           /*
758            * Write the encrypted IFF server keys to the stdout stream.
759            */
760           if (pkey_iffkey != NULL && passwd2 != NULL) {
761                     DSA       *dsa;
762 
763                     snprintf(filename, sizeof(filename),
764                         "ntpkey_iffkey_%s.%u", groupname, fstamp);
765                     fprintf(stderr, "Writing IFF keys %s to stdout\n",
766                         filename);
767                     fprintf(stdout, "# %s\n# %s\n", filename,
768                         ctime(&epoch));
769                     dsa = EVP_PKEY_get1_DSA(pkey_iffkey);
770                     pkey = EVP_PKEY_new();
771                     EVP_PKEY_assign_DSA(pkey, dsa);
772                     PEM_write_PKCS8PrivateKey(stdout, pkey, cipher, NULL, 0,
773                         NULL, passwd2);
774                     fflush(stdout);
775                     if (debug) {
776                               DSA_print_fp(stderr, dsa, 0);
777                     }
778                     EVP_PKEY_free(pkey);
779                     pkey = NULL;
780                     DSA_free(dsa);
781           }
782 
783           /*
784            * Create new encrypted MV trusted-authority keys file if
785            * requested; otherwise, look for existing keys file.
786            */
787           if (mvkey)
788                     pkey_mvkey = gen_mvkey("mv", pkey_mvpar);
789           if (pkey_mvkey == NULL) {
790                     snprintf(filename, sizeof(filename), "ntpkey_mvta_%s",
791                         groupname);
792                     pkey_mvkey = readkey(filename, passwd1, &fstamp,
793                         pkey_mvpar);
794                     if (pkey_mvkey != NULL) {
795                               followlink(filename, sizeof(filename));
796                               fprintf(stderr, "Using MV keys %s\n",
797                                   filename);
798                     }
799           }
800 
801           /*
802            * Write the nonencrypted MV client parameters to the stdout
803            * stream. For the moment, we always use the client parameters
804            * associated with client key 1.
805            */
806           if (pkey_mvkey != NULL && HAVE_OPT(ID_KEY)) {
807                     snprintf(filename, sizeof(filename),
808                         "ntpkey_mvpar_%s.%u", groupname, fstamp);
809                     fprintf(stderr, "Writing MV parameters %s to stdout\n",
810                         filename);
811                     fprintf(stdout, "# %s\n# %s\n", filename,
812                         ctime(&epoch));
813                     pkey = pkey_mvpar[2];
814                     PEM_write_PKCS8PrivateKey(stdout, pkey, NULL, NULL, 0,
815                         NULL, NULL);
816                     fflush(stdout);
817                     if (debug) {
818                               DSA_print_fp(stderr, EVP_PKEY_get0_DSA(pkey), 0);
819                     }
820           }
821 
822           /*
823            * Write the encrypted MV server keys to the stdout stream.
824            */
825           if (pkey_mvkey != NULL && passwd2 != NULL) {
826                     snprintf(filename, sizeof(filename),
827                         "ntpkey_mvkey_%s.%u", groupname, fstamp);
828                     fprintf(stderr, "Writing MV keys %s to stdout\n",
829                         filename);
830                     fprintf(stdout, "# %s\n# %s\n", filename,
831                         ctime(&epoch));
832                     pkey = pkey_mvpar[1];
833                     PEM_write_PKCS8PrivateKey(stdout, pkey, cipher, NULL, 0,
834                         NULL, passwd2);
835                     fflush(stdout);
836                     if (debug) {
837                               DSA_print_fp(stderr, EVP_PKEY_get0_DSA(pkey), 0);
838                     }
839           }
840 
841           /*
842            * Decode the digest/signature scheme and create the
843            * certificate. Do this every time we run the program.
844            */
845           ectx = EVP_get_digestbyname(scheme);
846           if (ectx == NULL) {
847                     fprintf(stderr,
848                         "Invalid digest/signature combination %s\n",
849                         scheme);
850                     exit (-1);
851           }
852           x509(pkey_sign, ectx, grpkey, exten, certname);
853 #endif    /* AUTOKEY */
854           exit(0);
855 }
856 
857 
858 /*
859  * Generate semi-random MD5 keys compatible with NTPv3 and NTPv4. Also,
860  * if OpenSSL is around, generate random SHA1 keys compatible with
861  * symmetric key cryptography.
862  */
863 int
gen_md5(const char * id)864 gen_md5(
865           const char *id                /* file name id */
866           )
867 {
868           u_char    md5key[MD5SIZE + 1];          /* MD5 key */
869           FILE      *str;
870           int       i, j;
871 #ifdef OPENSSL
872           u_char    keystr[MD5SIZE];
873           u_char    hexstr[2 * MD5SIZE + 1];
874           u_char    hex[] = "0123456789abcdef";
875 #endif    /* OPENSSL */
876 
877           str = fheader("MD5key", id, groupname);
878           for (i = 1; i <= MD5KEYS; i++) {
879                     for (j = 0; j < MD5SIZE; j++) {
880                               u_char temp;
881 
882                               while (1) {
883                                         int rc;
884 
885                                         rc = ntp_crypto_random_buf(
886                                             &temp, sizeof(temp));
887                                         if (-1 == rc) {
888                                                   fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
889                                                   exit (-1);
890                                         }
891                                         if (temp == '#')
892                                                   continue;
893 
894                                         if (temp > 0x20 && temp < 0x7f)
895                                                   break;
896                               }
897                               md5key[j] = temp;
898                     }
899                     md5key[j] = '\0';
900                     fprintf(str, "%2d MD5 %s  # MD5 key\n", i,
901                         md5key);
902           }
903 #ifdef OPENSSL
904           for (i = 1; i <= MD5KEYS; i++) {
905                     RAND_bytes(keystr, 20);
906                     for (j = 0; j < MD5SIZE; j++) {
907                               hexstr[2 * j] = hex[keystr[j] >> 4];
908                               hexstr[2 * j + 1] = hex[keystr[j] & 0xf];
909                     }
910                     hexstr[2 * MD5SIZE] = '\0';
911                     fprintf(str, "%2d SHA1 %s  # SHA1 key\n", i + MD5KEYS,
912                         hexstr);
913           }
914 #endif    /* OPENSSL */
915           fclose(str);
916           return (1);
917 }
918 
919 
920 #ifdef AUTOKEY
921 /*
922  * readkey - load cryptographic parameters and keys
923  *
924  * This routine loads a PEM-encoded file of given name and password and
925  * extracts the filestamp from the file name. It returns a pointer to
926  * the first key if valid, NULL if not.
927  */
928 EVP_PKEY *                              /* public/private key pair */
readkey(char * cp,char * passwd,u_int * estamp,EVP_PKEY ** evpars)929 readkey(
930           char      *cp,                /* file name */
931           char      *passwd,  /* password */
932           u_int     *estamp,  /* file stamp */
933           EVP_PKEY **evpars   /* parameter list pointer */
934           )
935 {
936           FILE      *str;               /* file handle */
937           EVP_PKEY *pkey = NULL;        /* public/private key */
938           u_int     gstamp;             /* filestamp */
939           char      linkname[MAXFILENAME]; /* filestamp buffer) */
940           EVP_PKEY *parkey;
941           char      *ptr;
942           int       i;
943 
944           /*
945            * Open the key file.
946            */
947           str = fopen(cp, "r");
948           if (str == NULL)
949                     return (NULL);
950 
951           /*
952            * Read the filestamp, which is contained in the first line.
953            */
954           if ((ptr = fgets(linkname, MAXFILENAME, str)) == NULL) {
955                     fprintf(stderr, "Empty key file %s\n", cp);
956                     fclose(str);
957                     return (NULL);
958           }
959           if ((ptr = strrchr(ptr, '.')) == NULL) {
960                     fprintf(stderr, "No filestamp found in %s\n", cp);
961                     fclose(str);
962                     return (NULL);
963           }
964           if (sscanf(++ptr, "%u", &gstamp) != 1) {
965                     fprintf(stderr, "Invalid filestamp found in %s\n", cp);
966                     fclose(str);
967                     return (NULL);
968           }
969 
970           /*
971            * Read and decrypt PEM-encoded private keys. The first one
972            * found is returned. If others are expected, add them to the
973            * parameter list.
974            */
975           for (i = 0; i <= MVMAX - 1;) {
976                     parkey = PEM_read_PrivateKey(str, NULL, NULL, passwd);
977                     if (evpars != NULL) {
978                               evpars[i++] = parkey;
979                               evpars[i] = NULL;
980                     }
981                     if (parkey == NULL)
982                               break;
983 
984                     if (pkey == NULL)
985                               pkey = parkey;
986                     if (debug) {
987                               if (EVP_PKEY_base_id(parkey) == EVP_PKEY_DSA)
988                                         DSA_print_fp(stderr, EVP_PKEY_get0_DSA(parkey),
989                                             0);
990                               else if (EVP_PKEY_base_id(parkey) == EVP_PKEY_RSA)
991                                         RSA_print_fp(stderr, EVP_PKEY_get0_RSA(parkey),
992                                             0);
993                     }
994           }
995           fclose(str);
996           if (pkey == NULL) {
997                     fprintf(stderr, "Corrupt file %s or wrong key %s\n%s\n",
998                         cp, passwd, ERR_error_string(ERR_get_error(),
999                         NULL));
1000                     exit (-1);
1001           }
1002           *estamp = gstamp;
1003           return (pkey);
1004 }
1005 
1006 
1007 /*
1008  * Generate RSA public/private key pair
1009  */
1010 EVP_PKEY *                              /* public/private key pair */
gen_rsa(const char * id)1011 gen_rsa(
1012           const char *id                /* file name id */
1013           )
1014 {
1015           EVP_PKEY *pkey;               /* private key */
1016           RSA       *rsa;               /* RSA parameters and key pair */
1017           FILE      *str;
1018 
1019           fprintf(stderr, "Generating RSA keys (%d bits)...\n", modulus);
1020           rsa = genRsaKeyPair(modulus, _UC("RSA"));
1021           fprintf(stderr, "\n");
1022           if (rsa == NULL) {
1023                     fprintf(stderr, "RSA generate keys fails\n%s\n",
1024                         ERR_error_string(ERR_get_error(), NULL));
1025                     return (NULL);
1026           }
1027 
1028           /*
1029            * For signature encryption it is not necessary that the RSA
1030            * parameters be strictly groomed and once in a while the
1031            * modulus turns out to be non-prime. Just for grins, we check
1032            * the primality.
1033            */
1034           if (!RSA_check_key(rsa)) {
1035                     fprintf(stderr, "Invalid RSA key\n%s\n",
1036                         ERR_error_string(ERR_get_error(), NULL));
1037                     RSA_free(rsa);
1038                     return (NULL);
1039           }
1040 
1041           /*
1042            * Write the RSA parameters and keys as a RSA private key
1043            * encoded in PEM.
1044            */
1045           if (strcmp(id, "sign") == 0)
1046                     str = fheader("RSAsign", id, hostname);
1047           else
1048                     str = fheader("RSAhost", id, hostname);
1049           pkey = EVP_PKEY_new();
1050           EVP_PKEY_assign_RSA(pkey, rsa);
1051           PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
1052               passwd1);
1053           fclose(str);
1054           if (debug)
1055                     RSA_print_fp(stderr, rsa, 0);
1056           return (pkey);
1057 }
1058 
1059 
1060 /*
1061  * Generate DSA public/private key pair
1062  */
1063 EVP_PKEY *                              /* public/private key pair */
gen_dsa(const char * id)1064 gen_dsa(
1065           const char *id                /* file name id */
1066           )
1067 {
1068           EVP_PKEY *pkey;               /* private key */
1069           DSA       *dsa;               /* DSA parameters */
1070           FILE      *str;
1071 
1072           /*
1073            * Generate DSA parameters.
1074            */
1075           fprintf(stderr,
1076               "Generating DSA parameters (%d bits)...\n", modulus);
1077           dsa = genDsaParams(modulus, _UC("DSA"));
1078           fprintf(stderr, "\n");
1079           if (dsa == NULL) {
1080                     fprintf(stderr, "DSA generate parameters fails\n%s\n",
1081                         ERR_error_string(ERR_get_error(), NULL));
1082                     return (NULL);
1083           }
1084 
1085           /*
1086            * Generate DSA keys.
1087            */
1088           fprintf(stderr, "Generating DSA keys (%d bits)...\n", modulus);
1089           if (!DSA_generate_key(dsa)) {
1090                     fprintf(stderr, "DSA generate keys fails\n%s\n",
1091                         ERR_error_string(ERR_get_error(), NULL));
1092                     DSA_free(dsa);
1093                     return (NULL);
1094           }
1095 
1096           /*
1097            * Write the DSA parameters and keys as a DSA private key
1098            * encoded in PEM.
1099            */
1100           str = fheader("DSAsign", id, hostname);
1101           pkey = EVP_PKEY_new();
1102           EVP_PKEY_assign_DSA(pkey, dsa);
1103           PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
1104               passwd1);
1105           fclose(str);
1106           if (debug)
1107                     DSA_print_fp(stderr, dsa, 0);
1108           return (pkey);
1109 }
1110 
1111 
1112 /*
1113  ***********************************************************************
1114  *                                                                                     *
1115  * The following routines implement the Schnorr (IFF) identity scheme  *
1116  *                                                                                     *
1117  ***********************************************************************
1118  *
1119  * The Schnorr (IFF) identity scheme is intended for use when
1120  * certificates are generated by some other trusted certificate
1121  * authority and the certificate cannot be used to convey public
1122  * parameters. There are two kinds of files: encrypted server files that
1123  * contain private and public values and nonencrypted client files that
1124  * contain only public values. New generations of server files must be
1125  * securely transmitted to all servers of the group; client files can be
1126  * distributed by any means. The scheme is self contained and
1127  * independent of new generations of host keys, sign keys and
1128  * certificates.
1129  *
1130  * The IFF values hide in a DSA cuckoo structure which uses the same
1131  * parameters. The values are used by an identity scheme based on DSA
1132  * cryptography and described in Stimson p. 285. The p is a 512-bit
1133  * prime, g a generator of Zp* and q a 160-bit prime that divides p - 1
1134  * and is a qth root of 1 mod p; that is, g^q = 1 mod p. The TA rolls a
1135  * private random group key b (0 < b < q) and public key v = g^b, then
1136  * sends (p, q, g, b) to the servers and (p, q, g, v) to the clients.
1137  * Alice challenges Bob to confirm identity using the protocol described
1138  * below.
1139  *
1140  * How it works
1141  *
1142  * The scheme goes like this. Both Alice and Bob have the public primes
1143  * p, q and generator g. The TA gives private key b to Bob and public
1144  * key v to Alice.
1145  *
1146  * Alice rolls new random challenge r (o < r < q) and sends to Bob in
1147  * the IFF request message. Bob rolls new random k (0 < k < q), then
1148  * computes y = k + b r mod q and x = g^k mod p and sends (y, hash(x))
1149  * to Alice in the response message. Besides making the response
1150  * shorter, the hash makes it effectivey impossible for an intruder to
1151  * solve for b by observing a number of these messages.
1152  *
1153  * Alice receives the response and computes g^y v^r mod p. After a bit
1154  * of algebra, this simplifies to g^k. If the hash of this result
1155  * matches hash(x), Alice knows that Bob has the group key b. The signed
1156  * response binds this knowledge to Bob's private key and the public key
1157  * previously received in his certificate.
1158  */
1159 /*
1160  * Generate Schnorr (IFF) keys.
1161  */
1162 EVP_PKEY *                              /* DSA cuckoo nest */
gen_iffkey(const char * id)1163 gen_iffkey(
1164           const char *id                /* file name id */
1165           )
1166 {
1167           EVP_PKEY *pkey;               /* private key */
1168           DSA       *dsa;               /* DSA parameters */
1169           BN_CTX    *ctx;               /* BN working space */
1170           BIGNUM    *b, *r, *k, *u, *v, *w; /* BN temp */
1171           FILE      *str;
1172           u_int     temp;
1173           const BIGNUM *p, *q, *g;
1174           BIGNUM *pub_key, *priv_key;
1175 
1176           /*
1177            * Generate DSA parameters for use as IFF parameters.
1178            */
1179           fprintf(stderr, "Generating IFF keys (%d bits)...\n",
1180               modulus2);
1181           dsa = genDsaParams(modulus2, _UC("IFF"));
1182           fprintf(stderr, "\n");
1183           if (dsa == NULL) {
1184                     fprintf(stderr, "DSA generate parameters fails\n%s\n",
1185                         ERR_error_string(ERR_get_error(), NULL));
1186                     return (NULL);
1187           }
1188           DSA_get0_pqg(dsa, &p, &q, &g);
1189 
1190           /*
1191            * Generate the private and public keys. The DSA parameters and
1192            * private key are distributed to the servers, while all except
1193            * the private key are distributed to the clients.
1194            */
1195           b = BN_new(); r = BN_new(); k = BN_new();
1196           u = BN_new(); v = BN_new(); w = BN_new(); ctx = BN_CTX_new();
1197           BN_rand(b, BN_num_bits(q), -1, 0);      /* a */
1198           BN_mod(b, b, q, ctx);
1199           BN_sub(v, q, b);
1200           BN_mod_exp(v, g, v, p, ctx); /* g^(q - b) mod p */
1201           BN_mod_exp(u, g, b, p, ctx);  /* g^b mod p */
1202           BN_mod_mul(u, u, v, p, ctx);
1203           temp = BN_is_one(u);
1204           fprintf(stderr,
1205               "Confirm g^(q - b) g^b = 1 mod p: %s\n", temp == 1 ?
1206               "yes" : "no");
1207           if (!temp) {
1208                     BN_free(b); BN_free(r); BN_free(k);
1209                     BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
1210                     return (NULL);
1211           }
1212           pub_key = BN_dup(v);
1213           priv_key = BN_dup(b);
1214           DSA_set0_key(dsa, pub_key, priv_key);
1215 
1216           /*
1217            * Here is a trial round of the protocol. First, Alice rolls
1218            * random nonce r mod q and sends it to Bob. She needs only
1219            * q from parameters.
1220            */
1221           BN_rand(r, BN_num_bits(q), -1, 0);      /* r */
1222           BN_mod(r, r, q, ctx);
1223 
1224           /*
1225            * Bob rolls random nonce k mod q, computes y = k + b r mod q
1226            * and x = g^k mod p, then sends (y, x) to Alice. He needs
1227            * p, q and b from parameters and r from Alice.
1228            */
1229           BN_rand(k, BN_num_bits(q), -1, 0);      /* k, 0 < k < q  */
1230           BN_mod(k, k, q, ctx);
1231           BN_mod_mul(v, priv_key, r, q, ctx); /* b r mod q */
1232           BN_add(v, v, k);
1233           BN_mod(v, v, q, ctx);                   /* y = k + b r mod q */
1234           BN_mod_exp(u, g, k, p, ctx);  /* x = g^k mod p */
1235 
1236           /*
1237            * Alice verifies x = g^y v^r to confirm that Bob has group key
1238            * b. She needs p, q, g from parameters, (y, x) from Bob and the
1239            * original r. We omit the detail here thatt only the hash of y
1240            * is sent.
1241            */
1242           BN_mod_exp(v, g, v, p, ctx); /* g^y mod p */
1243           BN_mod_exp(w, pub_key, r, p, ctx); /* v^r */
1244           BN_mod_mul(v, w, v, p, ctx);  /* product mod p */
1245           temp = BN_cmp(u, v);
1246           fprintf(stderr,
1247               "Confirm g^k = g^(k + b r) g^(q - b) r: %s\n", temp ==
1248               0 ? "yes" : "no");
1249           BN_free(b); BN_free(r);       BN_free(k);
1250           BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
1251           if (temp != 0) {
1252                     DSA_free(dsa);
1253                     return (NULL);
1254           }
1255 
1256           /*
1257            * Write the IFF keys as an encrypted DSA private key encoded in
1258            * PEM.
1259            *
1260            * p      modulus p
1261            * q      modulus q
1262            * g      generator g
1263            * priv_key b
1264            * public_key v
1265            * kinv   not used
1266            * r      not used
1267            */
1268           str = fheader("IFFkey", id, groupname);
1269           pkey = EVP_PKEY_new();
1270           EVP_PKEY_assign_DSA(pkey, dsa);
1271           PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
1272               passwd1);
1273           fclose(str);
1274           if (debug)
1275                     DSA_print_fp(stderr, dsa, 0);
1276           return (pkey);
1277 }
1278 
1279 
1280 /*
1281  ***********************************************************************
1282  *                                                                                     *
1283  * The following routines implement the Guillou-Quisquater (GQ)        *
1284  * identity scheme                                                     *
1285  *                                                                                     *
1286  ***********************************************************************
1287  *
1288  * The Guillou-Quisquater (GQ) identity scheme is intended for use when
1289  * the certificate can be used to convey public parameters. The scheme
1290  * uses a X509v3 certificate extension field do convey the public key of
1291  * a private key known only to servers. There are two kinds of files:
1292  * encrypted server files that contain private and public values and
1293  * nonencrypted client files that contain only public values. New
1294  * generations of server files must be securely transmitted to all
1295  * servers of the group; client files can be distributed by any means.
1296  * The scheme is self contained and independent of new generations of
1297  * host keys and sign keys. The scheme is self contained and independent
1298  * of new generations of host keys and sign keys.
1299  *
1300  * The GQ parameters hide in a RSA cuckoo structure which uses the same
1301  * parameters. The values are used by an identity scheme based on RSA
1302  * cryptography and described in Stimson p. 300 (with errors). The 512-
1303  * bit public modulus is n = p q, where p and q are secret large primes.
1304  * The TA rolls private random group key b as RSA exponent. These values
1305  * are known to all group members.
1306  *
1307  * When rolling new certificates, a server recomputes the private and
1308  * public keys. The private key u is a random roll, while the public key
1309  * is the inverse obscured by the group key v = (u^-1)^b. These values
1310  * replace the private and public keys normally generated by the RSA
1311  * scheme. Alice challenges Bob to confirm identity using the protocol
1312  * described below.
1313  *
1314  * How it works
1315  *
1316  * The scheme goes like this. Both Alice and Bob have the same modulus n
1317  * and some random b as the group key. These values are computed and
1318  * distributed in advance via secret means, although only the group key
1319  * b is truly secret. Each has a private random private key u and public
1320  * key (u^-1)^b, although not necessarily the same ones. Bob and Alice
1321  * can regenerate the key pair from time to time without affecting
1322  * operations. The public key is conveyed on the certificate in an
1323  * extension field; the private key is never revealed.
1324  *
1325  * Alice rolls new random challenge r and sends to Bob in the GQ
1326  * request message. Bob rolls new random k, then computes y = k u^r mod
1327  * n and x = k^b mod n and sends (y, hash(x)) to Alice in the response
1328  * message. Besides making the response shorter, the hash makes it
1329  * effectivey impossible for an intruder to solve for b by observing
1330  * a number of these messages.
1331  *
1332  * Alice receives the response and computes y^b v^r mod n. After a bit
1333  * of algebra, this simplifies to k^b. If the hash of this result
1334  * matches hash(x), Alice knows that Bob has the group key b. The signed
1335  * response binds this knowledge to Bob's private key and the public key
1336  * previously received in his certificate.
1337  */
1338 /*
1339  * Generate Guillou-Quisquater (GQ) parameters file.
1340  */
1341 EVP_PKEY *                              /* RSA cuckoo nest */
gen_gqkey(const char * id)1342 gen_gqkey(
1343           const char *id                /* file name id */
1344           )
1345 {
1346           EVP_PKEY *pkey;               /* private key */
1347           RSA       *rsa;               /* RSA parameters */
1348           BN_CTX    *ctx;               /* BN working space */
1349           BIGNUM    *u, *v, *g, *k, *r, *y; /* BN temps */
1350           FILE      *str;
1351           u_int     temp;
1352           BIGNUM    *b;
1353           const BIGNUM        *n;
1354 
1355           /*
1356            * Generate RSA parameters for use as GQ parameters.
1357            */
1358           fprintf(stderr,
1359               "Generating GQ parameters (%d bits)...\n",
1360                modulus2);
1361           rsa = genRsaKeyPair(modulus2, _UC("GQ"));
1362           fprintf(stderr, "\n");
1363           if (rsa == NULL) {
1364                     fprintf(stderr, "RSA generate keys fails\n%s\n",
1365                         ERR_error_string(ERR_get_error(), NULL));
1366                     return (NULL);
1367           }
1368           RSA_get0_key(rsa, &n, NULL, NULL);
1369           u = BN_new(); v = BN_new(); g = BN_new();
1370           k = BN_new(); r = BN_new(); y = BN_new();
1371           b = BN_new();
1372 
1373           /*
1374            * Generate the group key b, which is saved in the e member of
1375            * the RSA structure. The group key is transmitted to each group
1376            * member encrypted by the member private key.
1377            */
1378           ctx = BN_CTX_new();
1379           BN_rand(b, BN_num_bits(n), -1, 0); /* b */
1380           BN_mod(b, b, n, ctx);
1381 
1382           /*
1383            * When generating his certificate, Bob rolls random private key
1384            * u, then computes inverse v = u^-1.
1385            */
1386           BN_rand(u, BN_num_bits(n), -1, 0); /* u */
1387           BN_mod(u, u, n, ctx);
1388           BN_mod_inverse(v, u, n, ctx); /* u^-1 mod n */
1389           BN_mod_mul(k, v, u, n, ctx);
1390 
1391           /*
1392            * Bob computes public key v = (u^-1)^b, which is saved in an
1393            * extension field on his certificate. We check that u^b v =
1394            * 1 mod n.
1395            */
1396           BN_mod_exp(v, v, b, n, ctx);
1397           BN_mod_exp(g, u, b, n, ctx); /* u^b */
1398           BN_mod_mul(g, g, v, n, ctx); /* u^b (u^-1)^b */
1399           temp = BN_is_one(g);
1400           fprintf(stderr,
1401               "Confirm u^b (u^-1)^b = 1 mod n: %s\n", temp ? "yes" :
1402               "no");
1403           if (!temp) {
1404                     BN_free(u); BN_free(v);
1405                     BN_free(g); BN_free(k); BN_free(r); BN_free(y);
1406                     BN_CTX_free(ctx);
1407                     RSA_free(rsa);
1408                     return (NULL);
1409           }
1410           /* setting 'u' and 'v' into a RSA object takes over ownership.
1411            * Since we use these values again, we have to pass in dupes,
1412            * or we'll corrupt the program!
1413            */
1414           RSA_set0_factors(rsa, BN_dup(u), BN_dup(v));
1415 
1416           /*
1417            * Here is a trial run of the protocol. First, Alice rolls
1418            * random nonce r mod n and sends it to Bob. She needs only n
1419            * from parameters.
1420            */
1421           BN_rand(r, BN_num_bits(n), -1, 0);      /* r */
1422           BN_mod(r, r, n, ctx);
1423 
1424           /*
1425            * Bob rolls random nonce k mod n, computes y = k u^r mod n and
1426            * g = k^b mod n, then sends (y, g) to Alice. He needs n, u, b
1427            * from parameters and r from Alice.
1428            */
1429           BN_rand(k, BN_num_bits(n), -1, 0);      /* k */
1430           BN_mod(k, k, n, ctx);
1431           BN_mod_exp(y, u, r, n, ctx);  /* u^r mod n */
1432           BN_mod_mul(y, k, y, n, ctx);  /* y = k u^r mod n */
1433           BN_mod_exp(g, k, b, n, ctx);  /* g = k^b mod n */
1434 
1435           /*
1436            * Alice verifies g = v^r y^b mod n to confirm that Bob has
1437            * private key u. She needs n, g from parameters, public key v =
1438            * (u^-1)^b from the certificate, (y, g) from Bob and the
1439            * original r. We omit the detaul here that only the hash of g
1440            * is sent.
1441            */
1442           BN_mod_exp(v, v, r, n, ctx);  /* v^r mod n */
1443           BN_mod_exp(y, y, b, n, ctx);  /* y^b mod n */
1444           BN_mod_mul(y, v, y, n, ctx);  /* v^r y^b mod n */
1445           temp = BN_cmp(y, g);
1446           fprintf(stderr, "Confirm g^k = v^r y^b mod n: %s\n", temp == 0 ?
1447               "yes" : "no");
1448           BN_CTX_free(ctx); BN_free(u); BN_free(v);
1449           BN_free(g); BN_free(k); BN_free(r); BN_free(y);
1450           if (temp != 0) {
1451                     RSA_free(rsa);
1452                     return (NULL);
1453           }
1454 
1455           /*
1456            * Write the GQ parameter file as an encrypted RSA private key
1457            * encoded in PEM.
1458            *
1459            * n      modulus n
1460            * e      group key b
1461            * d      not used
1462            * p      private key u
1463            * q      public key (u^-1)^b
1464            * dmp1   not used
1465            * dmq1   not used
1466            * iqmp   not used
1467            */
1468           RSA_set0_key(rsa, NULL, b, BN_dup(BN_value_one()));
1469           RSA_set0_crt_params(rsa, BN_dup(BN_value_one()), BN_dup(BN_value_one()),
1470                     BN_dup(BN_value_one()));
1471           str = fheader("GQkey", id, groupname);
1472           pkey = EVP_PKEY_new();
1473           EVP_PKEY_assign_RSA(pkey, rsa);
1474           PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
1475               passwd1);
1476           fclose(str);
1477           if (debug)
1478                     RSA_print_fp(stderr, rsa, 0);
1479           return (pkey);
1480 }
1481 
1482 
1483 /*
1484  ***********************************************************************
1485  *                                                                                     *
1486  * The following routines implement the Mu-Varadharajan (MV) identity  *
1487  * scheme                                                              *
1488  *                                                                                     *
1489  ***********************************************************************
1490  *
1491  * The Mu-Varadharajan (MV) cryptosystem was originally intended when
1492  * servers broadcast messages to clients, but clients never send
1493  * messages to servers. There is one encryption key for the server and a
1494  * separate decryption key for each client. It operated something like a
1495  * pay-per-view satellite broadcasting system where the session key is
1496  * encrypted by the broadcaster and the decryption keys are held in a
1497  * tamperproof set-top box.
1498  *
1499  * The MV parameters and private encryption key hide in a DSA cuckoo
1500  * structure which uses the same parameters, but generated in a
1501  * different way. The values are used in an encryption scheme similar to
1502  * El Gamal cryptography and a polynomial formed from the expansion of
1503  * product terms (x - x[j]), as described in Mu, Y., and V.
1504  * Varadharajan: Robust and Secure Broadcasting, Proc. Indocrypt 2001,
1505  * 223-231. The paper has significant errors and serious omissions.
1506  *
1507  * Let q be the product of n distinct primes s1[j] (j = 1...n), where
1508  * each s1[j] has m significant bits. Let p be a prime p = 2 * q + 1, so
1509  * that q and each s1[j] divide p - 1 and p has M = n * m + 1
1510  * significant bits. Let g be a generator of Zp; that is, gcd(g, p - 1)
1511  * = 1 and g^q = 1 mod p. We do modular arithmetic over Zq and then
1512  * project into Zp* as exponents of g. Sometimes we have to compute an
1513  * inverse b^-1 of random b in Zq, but for that purpose we require
1514  * gcd(b, q) = 1. We expect M to be in the 500-bit range and n
1515  * relatively small, like 30. These are the parameters of the scheme and
1516  * they are expensive to compute.
1517  *
1518  * We set up an instance of the scheme as follows. A set of random
1519  * values x[j] mod q (j = 1...n), are generated as the zeros of a
1520  * polynomial of order n. The product terms (x - x[j]) are expanded to
1521  * form coefficients a[i] mod q (i = 0...n) in powers of x. These are
1522  * used as exponents of the generator g mod p to generate the private
1523  * encryption key A. The pair (gbar, ghat) of public server keys and the
1524  * pairs (xbar[j], xhat[j]) (j = 1...n) of private client keys are used
1525  * to construct the decryption keys. The devil is in the details.
1526  *
1527  * This routine generates a private server encryption file including the
1528  * private encryption key E and partial decryption keys gbar and ghat.
1529  * It then generates public client decryption files including the public
1530  * keys xbar[j] and xhat[j] for each client j. The partial decryption
1531  * files are used to compute the inverse of E. These values are suitably
1532  * blinded so secrets are not revealed.
1533  *
1534  * The distinguishing characteristic of this scheme is the capability to
1535  * revoke keys. Included in the calculation of E, gbar and ghat is the
1536  * product s = prod(s1[j]) (j = 1...n) above. If the factor s1[j] is
1537  * subsequently removed from the product and E, gbar and ghat
1538  * recomputed, the jth client will no longer be able to compute E^-1 and
1539  * thus unable to decrypt the messageblock.
1540  *
1541  * How it works
1542  *
1543  * The scheme goes like this. Bob has the server values (p, E, q,
1544  * gbar, ghat) and Alice has the client values (p, xbar, xhat).
1545  *
1546  * Alice rolls new random nonce r mod p and sends to Bob in the MV
1547  * request message. Bob rolls random nonce k mod q, encrypts y = r E^k
1548  * mod p and sends (y, gbar^k, ghat^k) to Alice.
1549  *
1550  * Alice receives the response and computes the inverse (E^k)^-1 from
1551  * the partial decryption keys gbar^k, ghat^k, xbar and xhat. She then
1552  * decrypts y and verifies it matches the original r. The signed
1553  * response binds this knowledge to Bob's private key and the public key
1554  * previously received in his certificate.
1555  */
1556 EVP_PKEY *                              /* DSA cuckoo nest */
gen_mvkey(const char * id,EVP_PKEY ** evpars)1557 gen_mvkey(
1558           const char *id,               /* file name id */
1559           EVP_PKEY **evpars   /* parameter list pointer */
1560           )
1561 {
1562           EVP_PKEY *pkey, *pkey1;       /* private keys */
1563           DSA       *dsa, *dsa2, *sdsa; /* DSA parameters */
1564           BN_CTX    *ctx;               /* BN working space */
1565           BIGNUM    *a[MVMAX];          /* polynomial coefficient vector */
1566           BIGNUM    *gs[MVMAX];         /* public key vector */
1567           BIGNUM    *s1[MVMAX];         /* private enabling keys */
1568           BIGNUM    *x[MVMAX];          /* polynomial zeros vector */
1569           BIGNUM    *xbar[MVMAX], *xhat[MVMAX]; /* private keys vector */
1570           BIGNUM    *b;                 /* group key */
1571           BIGNUM    *b1;                /* inverse group key */
1572           BIGNUM    *s;                 /* enabling key */
1573           BIGNUM    *biga;              /* master encryption key */
1574           BIGNUM    *bige;              /* session encryption key */
1575           BIGNUM    *gbar, *ghat;       /* public key */
1576           BIGNUM    *u, *v, *w;         /* BN scratch */
1577           BIGNUM    *p, *q, *g, *priv_key, *pub_key;
1578           int       i, j, n;
1579           FILE      *str;
1580           u_int     temp;
1581 
1582           /*
1583            * Generate MV parameters.
1584            *
1585            * The object is to generate a multiplicative group Zp* modulo a
1586            * prime p and a subset Zq mod q, where q is the product of n
1587            * distinct primes s1[j] (j = 1...n) and q divides p - 1. We
1588            * first generate n m-bit primes, where the product n m is in
1589            * the order of 512 bits. One or more of these may have to be
1590            * replaced later. As a practical matter, it is tough to find
1591            * more than 31 distinct primes for 512 bits or 61 primes for
1592            * 1024 bits. The latter can take several hundred iterations
1593            * and several minutes on a Sun Blade 1000.
1594            */
1595           n = nkeys;
1596           fprintf(stderr,
1597               "Generating MV parameters for %d keys (%d bits)...\n", n,
1598               modulus2 / n);
1599           ctx = BN_CTX_new(); u = BN_new(); v = BN_new(); w = BN_new();
1600           b = BN_new(); b1 = BN_new();
1601           dsa = DSA_new();
1602           p = BN_new(); q = BN_new(); g = BN_new();
1603           priv_key = BN_new(); pub_key = BN_new();
1604           temp = 0;
1605           for (j = 1; j <= n; j++) {
1606                     s1[j] = BN_new();
1607                     while (1) {
1608                               BN_generate_prime_ex(s1[j], modulus2 / n, 0,
1609                                                        NULL, NULL, NULL);
1610                               for (i = 1; i < j; i++) {
1611                                         if (BN_cmp(s1[i], s1[j]) == 0)
1612                                                   break;
1613                               }
1614                               if (i == j)
1615                                         break;
1616                               temp++;
1617                     }
1618           }
1619           fprintf(stderr, "Birthday keys regenerated %d\n", temp);
1620 
1621           /*
1622            * Compute the modulus q as the product of the primes. Compute
1623            * the modulus p as 2 * q + 1 and test p for primality. If p
1624            * is composite, replace one of the primes with a new distinct
1625            * one and try again. Note that q will hardly be a secret since
1626            * we have to reveal p to servers, but not clients. However,
1627            * factoring q to find the primes should be adequately hard, as
1628            * this is the same problem considered hard in RSA. Question: is
1629            * it as hard to find n small prime factors totalling n bits as
1630            * it is to find two large prime factors totalling n bits?
1631            * Remember, the bad guy doesn't know n.
1632            */
1633           temp = 0;
1634           while (1) {
1635                     BN_one(q);
1636                     for (j = 1; j <= n; j++)
1637                               BN_mul(q, q, s1[j], ctx);
1638                     BN_copy(p, q);
1639                     BN_add(p, p, p);
1640                     BN_add_word(p, 1);
1641                     if (BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
1642                               break;
1643 
1644                     temp++;
1645                     j = temp % n + 1;
1646                     while (1) {
1647                               BN_generate_prime_ex(u, modulus2 / n, 0,
1648                                                        NULL, NULL, NULL);
1649                               for (i = 1; i <= n; i++) {
1650                                         if (BN_cmp(u, s1[i]) == 0)
1651                                                   break;
1652                               }
1653                               if (i > n)
1654                                         break;
1655                     }
1656                     BN_copy(s1[j], u);
1657           }
1658           fprintf(stderr, "Defective keys regenerated %d\n", temp);
1659 
1660           /*
1661            * Compute the generator g using a random roll such that
1662            * gcd(g, p - 1) = 1 and g^q = 1. This is a generator of p, not
1663            * q. This may take several iterations.
1664            */
1665           BN_copy(v, p);
1666           BN_sub_word(v, 1);
1667           while (1) {
1668                     BN_rand(g, BN_num_bits(p) - 1, 0, 0);
1669                     BN_mod(g, g, p, ctx);
1670                     BN_gcd(u, g, v, ctx);
1671                     if (!BN_is_one(u))
1672                               continue;
1673 
1674                     BN_mod_exp(u, g, q, p, ctx);
1675                     if (BN_is_one(u))
1676                               break;
1677           }
1678 
1679           DSA_set0_pqg(dsa, p, q, g);
1680 
1681           /*
1682            * Setup is now complete. Roll random polynomial roots x[j]
1683            * (j = 1...n) for all j. While it may not be strictly
1684            * necessary, Make sure each root has no factors in common with
1685            * q.
1686            */
1687           fprintf(stderr,
1688               "Generating polynomial coefficients for %d roots (%d bits)\n",
1689               n, BN_num_bits(q));
1690           for (j = 1; j <= n; j++) {
1691                     x[j] = BN_new();
1692 
1693                     while (1) {
1694                               BN_rand(x[j], BN_num_bits(q), 0, 0);
1695                               BN_mod(x[j], x[j], q, ctx);
1696                               BN_gcd(u, x[j], q, ctx);
1697                               if (BN_is_one(u))
1698                                         break;
1699                     }
1700           }
1701 
1702           /*
1703            * Generate polynomial coefficients a[i] (i = 0...n) from the
1704            * expansion of root products (x - x[j]) mod q for all j. The
1705            * method is a present from Charlie Boncelet.
1706            */
1707           for (i = 0; i <= n; i++) {
1708                     a[i] = BN_new();
1709                     BN_one(a[i]);
1710           }
1711           for (j = 1; j <= n; j++) {
1712                     BN_zero(w);
1713                     for (i = 0; i < j; i++) {
1714                               BN_copy(u, q);
1715                               BN_mod_mul(v, a[i], x[j], q, ctx);
1716                               BN_sub(u, u, v);
1717                               BN_add(u, u, w);
1718                               BN_copy(w, a[i]);
1719                               BN_mod(a[i], u, q, ctx);
1720                     }
1721           }
1722 
1723           /*
1724            * Generate gs[i] = g^a[i] mod p for all i and the generator g.
1725            */
1726           for (i = 0; i <= n; i++) {
1727                     gs[i] = BN_new();
1728                     BN_mod_exp(gs[i], g, a[i], p, ctx);
1729           }
1730 
1731           /*
1732            * Verify prod(gs[i]^(a[i] x[j]^i)) = 1 for all i, j. Note the
1733            * a[i] x[j]^i exponent is computed mod q, but the gs[i] is
1734            * computed mod p. also note the expression given in the paper
1735            * is incorrect.
1736            */
1737           temp = 1;
1738           for (j = 1; j <= n; j++) {
1739                     BN_one(u);
1740                     for (i = 0; i <= n; i++) {
1741                               BN_set_word(v, i);
1742                               BN_mod_exp(v, x[j], v, q, ctx);
1743                               BN_mod_mul(v, v, a[i], q, ctx);
1744                               BN_mod_exp(v, g, v, p, ctx);
1745                               BN_mod_mul(u, u, v, p, ctx);
1746                     }
1747                     if (!BN_is_one(u))
1748                               temp = 0;
1749           }
1750           fprintf(stderr,
1751               "Confirm prod(gs[i]^(x[j]^i)) = 1 for all i, j: %s\n", temp ?
1752               "yes" : "no");
1753           if (!temp) {
1754                     return (NULL);
1755           }
1756 
1757           /*
1758            * Make private encryption key A. Keep it around for awhile,
1759            * since it is expensive to compute.
1760            */
1761           biga = BN_new();
1762 
1763           BN_one(biga);
1764           for (j = 1; j <= n; j++) {
1765                     for (i = 0; i < n; i++) {
1766                               BN_set_word(v, i);
1767                               BN_mod_exp(v, x[j], v, q, ctx);
1768                               BN_mod_exp(v, gs[i], v, p, ctx);
1769                               BN_mod_mul(biga, biga, v, p, ctx);
1770                     }
1771           }
1772 
1773           /*
1774            * Roll private random group key b mod q (0 < b < q), where
1775            * gcd(b, q) = 1 to guarantee b^-1 exists, then compute b^-1
1776            * mod q. If b is changed, the client keys must be recomputed.
1777            */
1778           while (1) {
1779                     BN_rand(b, BN_num_bits(q), 0, 0);
1780                     BN_mod(b, b, q, ctx);
1781                     BN_gcd(u, b, q, ctx);
1782                     if (BN_is_one(u))
1783                               break;
1784           }
1785           BN_mod_inverse(b1, b, q, ctx);
1786 
1787           /*
1788            * Make private client keys (xbar[j], xhat[j]) for all j. Note
1789            * that the keys for the jth client do not s1[j] or the product
1790            * s1[j]) (j = 1...n) which is q by construction.
1791            *
1792            * Compute the factor w such that w s1[j] = s1[j] for all j. The
1793            * easy way to do this is to compute (q + s1[j]) / s1[j].
1794            * Exercise for the student: prove the remainder is always zero.
1795            */
1796           for (j = 1; j <= n; j++) {
1797                     xbar[j] = BN_new(); xhat[j] = BN_new();
1798 
1799                     BN_add(w, q, s1[j]);
1800                     BN_div(w, u, w, s1[j], ctx);
1801                     BN_zero(xbar[j]);
1802                     BN_set_word(v, n);
1803                     for (i = 1; i <= n; i++) {
1804                               if (i == j)
1805                                         continue;
1806 
1807                               BN_mod_exp(u, x[i], v, q, ctx);
1808                               BN_add(xbar[j], xbar[j], u);
1809                     }
1810                     BN_mod_mul(xbar[j], xbar[j], b1, q, ctx);
1811                     BN_mod_exp(xhat[j], x[j], v, q, ctx);
1812                     BN_mod_mul(xhat[j], xhat[j], w, q, ctx);
1813           }
1814 
1815           /*
1816            * We revoke client j by dividing q by s1[j]. The quotient
1817            * becomes the enabling key s. Note we always have to revoke
1818            * one key; otherwise, the plaintext and cryptotext would be
1819            * identical. For the present there are no provisions to revoke
1820            * additional keys, so we sail on with only token revocations.
1821            */
1822           s = BN_new();
1823           BN_copy(s, q);
1824           BN_div(s, u, s, s1[n], ctx);
1825 
1826           /*
1827            * For each combination of clients to be revoked, make private
1828            * encryption key E = A^s and partial decryption keys gbar = g^s
1829            * and ghat = g^(s b), all mod p. The servers use these keys to
1830            * compute the session encryption key and partial decryption
1831            * keys. These values must be regenerated if the enabling key is
1832            * changed.
1833            */
1834           bige = BN_new(); gbar = BN_new(); ghat = BN_new();
1835           BN_mod_exp(bige, biga, s, p, ctx);
1836           BN_mod_exp(gbar, g, s, p, ctx);
1837           BN_mod_mul(v, s, b, q, ctx);
1838           BN_mod_exp(ghat, g, v, p, ctx);
1839 
1840           /*
1841            * Notes: We produce the key media in three steps. The first
1842            * step is to generate the system parameters p, q, g, b, A and
1843            * the enabling keys s1[j]. Associated with each s1[j] are
1844            * parameters xbar[j] and xhat[j]. All of these parameters are
1845            * retained in a data structure protecteted by the trusted-agent
1846            * password. The p, xbar[j] and xhat[j] paremeters are
1847            * distributed to the j clients. When the client keys are to be
1848            * activated, the enabled keys are multipied together to form
1849            * the master enabling key s. This and the other parameters are
1850            * used to compute the server encryption key E and the partial
1851            * decryption keys gbar and ghat.
1852            *
1853            * In the identity exchange the client rolls random r and sends
1854            * it to the server. The server rolls random k, which is used
1855            * only once, then computes the session key E^k and partial
1856            * decryption keys gbar^k and ghat^k. The server sends the
1857            * encrypted r along with gbar^k and ghat^k to the client. The
1858            * client completes the decryption and verifies it matches r.
1859            */
1860           /*
1861            * Write the MV trusted-agent parameters and keys as a DSA
1862            * private key encoded in PEM.
1863            *
1864            * p      modulus p
1865            * q      modulus q
1866            * g      generator g
1867            * priv_key A mod p
1868            * pub_key b mod q
1869            * (remaining values are not used)
1870            */
1871           i = 0;
1872           str = fheader("MVta", "mvta", groupname);
1873           fprintf(stderr, "Generating MV trusted-authority keys\n");
1874           BN_copy(priv_key, biga);
1875           BN_copy(pub_key, b);
1876           DSA_set0_key(dsa, pub_key, priv_key);
1877           pkey = EVP_PKEY_new();
1878           EVP_PKEY_assign_DSA(pkey, dsa);
1879           PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
1880               passwd1);
1881           evpars[i++] = pkey;
1882           if (debug)
1883                     DSA_print_fp(stderr, dsa, 0);
1884 
1885           /*
1886            * Append the MV server parameters and keys as a DSA key encoded
1887            * in PEM.
1888            *
1889            * p      modulus p
1890            * q      modulus q (used only when generating k)
1891            * g      bige
1892            * priv_key gbar
1893            * pub_key ghat
1894            * (remaining values are not used)
1895            */
1896           fprintf(stderr, "Generating MV server keys\n");
1897           dsa2 = DSA_new();
1898           DSA_set0_pqg(dsa2, BN_dup(p), BN_dup(q), BN_dup(bige));
1899           DSA_set0_key(dsa2, BN_dup(ghat), BN_dup(gbar));
1900           pkey1 = EVP_PKEY_new();
1901           EVP_PKEY_assign_DSA(pkey1, dsa2);
1902           PEM_write_PKCS8PrivateKey(str, pkey1, cipher, NULL, 0, NULL,
1903               passwd1);
1904           evpars[i++] = pkey1;
1905           if (debug)
1906                     DSA_print_fp(stderr, dsa2, 0);
1907 
1908           /*
1909            * Append the MV client parameters for each client j as DSA keys
1910            * encoded in PEM.
1911            *
1912            * p      modulus p
1913            * priv_key xbar[j] mod q
1914            * pub_key xhat[j] mod q
1915            * (remaining values are not used)
1916            */
1917           fprintf(stderr, "Generating %d MV client keys\n", n);
1918           for (j = 1; j <= n; j++) {
1919                     sdsa = DSA_new();
1920                     DSA_set0_pqg(sdsa, BN_dup(p), BN_dup(BN_value_one()),
1921                               BN_dup(BN_value_one()));
1922                     DSA_set0_key(sdsa, BN_dup(xhat[j]), BN_dup(xbar[j]));
1923                     pkey1 = EVP_PKEY_new();
1924                     EVP_PKEY_set1_DSA(pkey1, sdsa);
1925                     PEM_write_PKCS8PrivateKey(str, pkey1, cipher, NULL, 0,
1926                         NULL, passwd1);
1927                     evpars[i++] = pkey1;
1928                     if (debug)
1929                               DSA_print_fp(stderr, sdsa, 0);
1930 
1931                     /*
1932                      * The product (gbar^k)^xbar[j] (ghat^k)^xhat[j] and E
1933                      * are inverses of each other. We check that the product
1934                      * is one for each client except the ones that have been
1935                      * revoked.
1936                      */
1937                     BN_mod_exp(v, gbar, xhat[j], p, ctx);
1938                     BN_mod_exp(u, ghat, xbar[j], p, ctx);
1939                     BN_mod_mul(u, u, v, p, ctx);
1940                     BN_mod_mul(u, u, bige, p, ctx);
1941                     if (!BN_is_one(u)) {
1942                               fprintf(stderr, "Revoke key %d\n", j);
1943                               continue;
1944                     }
1945           }
1946           evpars[i++] = NULL;
1947           fclose(str);
1948 
1949           /*
1950            * Free the countries.
1951            */
1952           for (i = 0; i <= n; i++) {
1953                     BN_free(a[i]); BN_free(gs[i]);
1954           }
1955           for (j = 1; j <= n; j++) {
1956                     BN_free(x[j]); BN_free(xbar[j]); BN_free(xhat[j]);
1957                     BN_free(s1[j]);
1958           }
1959           return (pkey);
1960 }
1961 
1962 
1963 /*
1964  * Generate X509v3 certificate.
1965  *
1966  * The certificate consists of the version number, serial number,
1967  * validity interval, issuer name, subject name and public key. For a
1968  * self-signed certificate, the issuer name is the same as the subject
1969  * name and these items are signed using the subject private key. The
1970  * validity interval extends from the current time to the same time one
1971  * year hence. For NTP purposes, it is convenient to use the NTP seconds
1972  * of the current time as the serial number.
1973  */
1974 int
x509(EVP_PKEY * pkey,const EVP_MD * md,char * gqpub,const char * exten,char * name)1975 x509      (
1976           EVP_PKEY *pkey,               /* signing key */
1977           const EVP_MD *md,   /* signature/digest scheme */
1978           char      *gqpub,             /* identity extension (hex string) */
1979           const char *exten,  /* private cert extension */
1980           char      *name               /* subject/issuer name */
1981           )
1982 {
1983           X509      *cert;              /* X509 certificate */
1984           X509_NAME *subj;    /* distinguished (common) name */
1985           X509_EXTENSION *ex; /* X509v3 extension */
1986           FILE      *str;               /* file handle */
1987           ASN1_INTEGER *serial;         /* serial number */
1988           const char *id;               /* digest/signature scheme name */
1989           char      pathbuf[MAXFILENAME + 1];
1990 
1991           /*
1992            * Generate X509 self-signed certificate.
1993            *
1994            * Set the certificate serial to the NTP seconds for grins. Set
1995            * the version to 3. Set the initial validity to the current
1996            * time and the finalvalidity one year hence.
1997            */
1998           id = OBJ_nid2sn(EVP_MD_pkey_type(md));
1999           fprintf(stderr, "Generating new certificate %s %s\n", name, id);
2000           cert = X509_new();
2001           X509_set_version(cert, 2L);
2002           serial = ASN1_INTEGER_new();
2003           ASN1_INTEGER_set(serial, (long)epoch + JAN_1970);
2004           X509_set_serialNumber(cert, serial);
2005           ASN1_INTEGER_free(serial);
2006           X509_time_adj(X509_getm_notBefore(cert), 0L, &epoch);
2007           X509_time_adj(X509_getm_notAfter(cert), lifetime * SECSPERDAY, &epoch);
2008           subj = X509_get_subject_name(cert);
2009           X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
2010               (u_char *)name, -1, -1, 0);
2011           subj = X509_get_issuer_name(cert);
2012           X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
2013               (u_char *)name, -1, -1, 0);
2014           if (!X509_set_pubkey(cert, pkey)) {
2015                     fprintf(stderr, "Assign certificate signing key fails\n%s\n",
2016                         ERR_error_string(ERR_get_error(), NULL));
2017                     X509_free(cert);
2018                     return (0);
2019           }
2020 
2021           /*
2022            * Add X509v3 extensions if present. These represent the minimum
2023            * set defined in RFC3280 less the certificate_policy extension,
2024            * which is seriously obfuscated in OpenSSL.
2025            */
2026           /*
2027            * The basic_constraints extension CA:TRUE allows servers to
2028            * sign client certficitates.
2029            */
2030           fprintf(stderr, "%s: %s\n", LN_basic_constraints,
2031               BASIC_CONSTRAINTS);
2032           ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,
2033               _UC(BASIC_CONSTRAINTS));
2034           if (!X509_add_ext(cert, ex, -1)) {
2035                     fprintf(stderr, "Add extension field fails\n%s\n",
2036                         ERR_error_string(ERR_get_error(), NULL));
2037                     return (0);
2038           }
2039           X509_EXTENSION_free(ex);
2040 
2041           /*
2042            * The key_usage extension designates the purposes the key can
2043            * be used for.
2044            */
2045           fprintf(stderr, "%s: %s\n", LN_key_usage, KEY_USAGE);
2046           ex = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage, _UC(KEY_USAGE));
2047           if (!X509_add_ext(cert, ex, -1)) {
2048                     fprintf(stderr, "Add extension field fails\n%s\n",
2049                         ERR_error_string(ERR_get_error(), NULL));
2050                     return (0);
2051           }
2052           X509_EXTENSION_free(ex);
2053           /*
2054            * The subject_key_identifier is used for the GQ public key.
2055            * This should not be controversial.
2056            */
2057           if (gqpub != NULL) {
2058                     fprintf(stderr, "%s\n", LN_subject_key_identifier);
2059                     ex = X509V3_EXT_conf_nid(NULL, NULL,
2060                         NID_subject_key_identifier, gqpub);
2061                     if (!X509_add_ext(cert, ex, -1)) {
2062                               fprintf(stderr,
2063                                   "Add extension field fails\n%s\n",
2064                                   ERR_error_string(ERR_get_error(), NULL));
2065                               return (0);
2066                     }
2067                     X509_EXTENSION_free(ex);
2068           }
2069 
2070           /*
2071            * The extended key usage extension is used for special purpose
2072            * here. The semantics probably do not conform to the designer's
2073            * intent and will likely change in future.
2074            *
2075            * "trustRoot" designates a root authority
2076            * "private" designates a private certificate
2077            */
2078           if (exten != NULL) {
2079                     fprintf(stderr, "%s: %s\n", LN_ext_key_usage, exten);
2080                     ex = X509V3_EXT_conf_nid(NULL, NULL,
2081                         NID_ext_key_usage, _UC(exten));
2082                     if (!X509_add_ext(cert, ex, -1)) {
2083                               fprintf(stderr,
2084                                   "Add extension field fails\n%s\n",
2085                                   ERR_error_string(ERR_get_error(), NULL));
2086                               return (0);
2087                     }
2088                     X509_EXTENSION_free(ex);
2089           }
2090 
2091           /*
2092            * Sign and verify.
2093            */
2094           X509_sign(cert, pkey, md);
2095           if (X509_verify(cert, pkey) <= 0) {
2096                     fprintf(stderr, "Verify %s certificate fails\n%s\n", id,
2097                         ERR_error_string(ERR_get_error(), NULL));
2098                     X509_free(cert);
2099                     return (0);
2100           }
2101 
2102           /*
2103            * Write the certificate encoded in PEM.
2104            */
2105           snprintf(pathbuf, sizeof(pathbuf), "%scert", id);
2106           str = fheader(pathbuf, "cert", hostname);
2107           PEM_write_X509(str, cert);
2108           fclose(str);
2109           if (debug)
2110                     X509_print_fp(stderr, cert);
2111           X509_free(cert);
2112           return (1);
2113 }
2114 
2115 #if 0     /* asn2ntp is used only with commercial certificates */
2116 /*
2117  * asn2ntp - convert ASN1_TIME time structure to NTP time
2118  */
2119 u_long
2120 asn2ntp   (
2121           ASN1_TIME *asn1time /* pointer to ASN1_TIME structure */
2122           )
2123 {
2124           char      *v;                 /* pointer to ASN1_TIME string */
2125           struct    tm tm;              /* time decode structure time */
2126 
2127           /*
2128            * Extract time string YYMMDDHHMMSSZ from ASN.1 time structure.
2129            * Note that the YY, MM, DD fields start with one, the HH, MM,
2130            * SS fiels start with zero and the Z character should be 'Z'
2131            * for UTC. Also note that years less than 50 map to years
2132            * greater than 100. Dontcha love ASN.1?
2133            */
2134           if (asn1time->length > 13)
2135                     return (-1);
2136           v = (char *)asn1time->data;
2137           tm.tm_year = (v[0] - '0') * 10 + v[1] - '0';
2138           if (tm.tm_year < 50)
2139                     tm.tm_year += 100;
2140           tm.tm_mon = (v[2] - '0') * 10 + v[3] - '0' - 1;
2141           tm.tm_mday = (v[4] - '0') * 10 + v[5] - '0';
2142           tm.tm_hour = (v[6] - '0') * 10 + v[7] - '0';
2143           tm.tm_min = (v[8] - '0') * 10 + v[9] - '0';
2144           tm.tm_sec = (v[10] - '0') * 10 + v[11] - '0';
2145           tm.tm_wday = 0;
2146           tm.tm_yday = 0;
2147           tm.tm_isdst = 0;
2148           return (mktime(&tm) + JAN_1970);
2149 }
2150 #endif
2151 
2152 /*
2153  * Callback routine
2154  */
2155 void
cb(int n1,int n2,void * chr)2156 cb        (
2157           int       n1,                 /* arg 1 */
2158           int       n2,                 /* arg 2 */
2159           void      *chr                /* arg 3 */
2160           )
2161 {
2162           switch (n1) {
2163           case 0:
2164                     d0++;
2165                     fprintf(stderr, "%s %d %d %lu\r", (char *)chr, n1, n2,
2166                         d0);
2167                     break;
2168           case 1:
2169                     d1++;
2170                     fprintf(stderr, "%s\t\t%d %d %lu\r", (char *)chr, n1,
2171                         n2, d1);
2172                     break;
2173           case 2:
2174                     d2++;
2175                     fprintf(stderr, "%s\t\t\t\t%d %d %lu\r", (char *)chr,
2176                         n1, n2, d2);
2177                     break;
2178           case 3:
2179                     d3++;
2180                     fprintf(stderr, "%s\t\t\t\t\t\t%d %d %lu\r",
2181                         (char *)chr, n1, n2, d3);
2182                     break;
2183           }
2184 }
2185 
2186 
2187 /*
2188  * Generate key
2189  */
2190 EVP_PKEY *                              /* public/private key pair */
genkey(const char * type,const char * id)2191 genkey(
2192           const char *type,   /* key type (RSA or DSA) */
2193           const char *id                /* file name id */
2194           )
2195 {
2196           if (type == NULL)
2197                     return (NULL);
2198           if (strcmp(type, "RSA") == 0)
2199                     return (gen_rsa(id));
2200 
2201           else if (strcmp(type, "DSA") == 0)
2202                     return (gen_dsa(id));
2203 
2204           fprintf(stderr, "Invalid %s key type %s\n", id, type);
2205           return (NULL);
2206 }
2207 
2208 static RSA*
genRsaKeyPair(int bits,char * what)2209 genRsaKeyPair(
2210           int       bits,
2211           char *    what
2212           )
2213 {
2214           RSA *               rsa = RSA_new();
2215           BN_GENCB *          gcb = BN_GENCB_new();
2216           BIGNUM *  bne = BN_new();
2217 
2218           if (gcb)
2219                     BN_GENCB_set_old(gcb, cb, what);
2220           if (bne)
2221                     BN_set_word(bne, 65537);
2222           if (!(rsa && gcb && bne && RSA_generate_key_ex(
2223                           rsa, bits, bne, gcb)))
2224           {
2225                     RSA_free(rsa);
2226                     rsa = NULL;
2227           }
2228           BN_GENCB_free(gcb);
2229           BN_free(bne);
2230           return rsa;
2231 }
2232 
2233 static DSA*
genDsaParams(int bits,char * what)2234 genDsaParams(
2235           int       bits,
2236           char *    what
2237           )
2238 {
2239 
2240           DSA *               dsa = DSA_new();
2241           BN_GENCB *          gcb = BN_GENCB_new();
2242           u_char              seed[20];
2243 
2244           if (gcb)
2245                     BN_GENCB_set_old(gcb, cb, what);
2246           RAND_bytes(seed, sizeof(seed));
2247           if (!(dsa && gcb && DSA_generate_parameters_ex(
2248                           dsa, bits, seed, sizeof(seed), NULL, NULL, gcb)))
2249           {
2250                     DSA_free(dsa);
2251                     dsa = NULL;
2252           }
2253           BN_GENCB_free(gcb);
2254           return dsa;
2255 }
2256 
2257 #endif    /* AUTOKEY */
2258 
2259 
2260 /*
2261  * Generate file header and link
2262  */
2263 FILE *
fheader(const char * file,const char * ulink,const char * owner)2264 fheader   (
2265           const char *file,   /* file name id */
2266           const char *ulink,  /* linkname */
2267           const char *owner   /* owner name */
2268           )
2269 {
2270           FILE      *str;               /* file handle */
2271           char      linkname[MAXFILENAME]; /* link name */
2272           int       temp;
2273 #ifdef HAVE_UMASK
2274         mode_t  orig_umask;
2275 #endif
2276 
2277           snprintf(filename, sizeof(filename), "ntpkey_%s_%s.%u", file,
2278               owner, fstamp);
2279 #ifdef HAVE_UMASK
2280         orig_umask = umask( S_IWGRP | S_IRWXO );
2281         str = fopen(filename, "w");
2282         (void) umask(orig_umask);
2283 #else
2284         str = fopen(filename, "w");
2285 #endif
2286           if (str == NULL) {
2287                     perror("Write");
2288                     exit (-1);
2289           }
2290         if (strcmp(ulink, "md5") == 0) {
2291           strcpy(linkname,"ntp.keys");
2292         } else {
2293           snprintf(linkname, sizeof(linkname), "ntpkey_%s_%s", ulink,
2294                    hostname);
2295         }
2296           (void)remove(linkname);                 /* The symlink() line below matters */
2297           temp = symlink(filename, linkname);
2298           if (temp < 0)
2299                     perror(file);
2300           fprintf(stderr, "Generating new %s file and link\n", ulink);
2301           fprintf(stderr, "%s->%s\n", linkname, filename);
2302           fprintf(str, "# %s\n# %s\n", filename, ctime(&epoch));
2303           return (str);
2304 }
2305